COI Report – Part IV
Page 174 of 425
of what IHiS staff had known by that point in time. The updated version as of pm on 9 July 2018 that Ernest sent to the attendees included the following:
NOTABLE EVENTS
A potential sucessful [sic] DB database dump […] a domain administrators account is already compromised even before Citrix breach the same domain administrators account is constantly being used to clear the logs
Priv account was removed from local admin group to deny RDP but it was added back again
CONSIDERATIONS
What if Domain Controllers are compromised Potentially all LDC citrix servers are compromised. Consider checking with IHIS pentesting team, to check for common AD password dumping tools, and search for traces anywhere on SingHealth PCs/Servers […]
551. Wee has explained that the notable events and considerations listed above were shown during the meeting, but were not the focus of the meeting.
552. At the meeting, Woon Lan asked Wee for his assessment of the incident, and asked whether there was a need to escalate the matter to senior management.[33] Based on what was discussed at the meeting, he had “some concerns that (he) was not able to confirm”, and that he “still thought it may not be a security incident”.
553. Examples of such concerns include concerns over the fact that there were suspicious SQL queries on the SCM database, and that the AA. application account was being used. On the deletion of the Windows event logs, Wee was
[33] This is contrasted against Ernest’s claims in his conditioned statement that “At this meeting, we did not discuss whether the matter should be escalated to IHiS senior management”.